[USG Flex 100] No NetBIOS over SSL VPN
I just set up an SSL VPN on a USG Flex 100 requesting NetBIOS broadcast over this connection but it doesn't work. I would like to access an SMB share on the network, it works on the local network using the computer name but not over the SSL VPN remote connection. Using the IP address in the UNC works correctly on the SSL VPN connection by the way.
Any idea of what could be wrong?
Zyxel_Emily Posts: 1,064
Hi @ Sébastien,
PC1(192.168.1.33)----(LAN1)USG FLEX 100 (WAN) ----Internet-----PC2 (SSL VPN client: 192.168.70.1)
Note: The SSL VPN pool cannot conflict with any WAN/LAN1/LAN2/DMZ subnet even if they are not in use.
Capture packets on interface lan1.
On PC2, enter \\PC1_hostname
Stop packet capture, download the file and open both captured files.
Check if USG FLEX 100 receives the name query packet from PC2.
If it does receive the name query packet, it means there is no problem with the function “NetBIOS broadcast over SSL VPN”.
When trying to troubleshoot this issue I found something interesting related to the configuration I made on this USG Flex 100.
Wan IP address is part of the 192.168.1.0/24 subnet, fixed IP 192.168.1.200 (provider box).
As Wan IP address is part of the same subnet as lan1 predefined in the router, I switched all the ports to lan2 (P3 to P6). These ports are now part of the lan2 subnet 192.168.2.0/24. I also disabled lan1 in Interface > Ethernet > Configuration
VPN IP pool is 192.168.2.250 - 254 so in the correct subnet.
What I noticed in the logs is that, when I try to access the share using NetBIOS over VPN, the broadcast is made on the 1.0/24 subnet (port 138), which is not the right one!
Here is the log line: 9 2020-09-21 10:49:30 notice Security Policy Control Match default rule, DROP [count=2] 192.168.1.1:138 192.168.1.255:138 ACCESS BLOCK
I just wonder why it "searches" for the NetBIOS name on lan1 even though it knows it is on lan2.
What do you think of that?
Thanks a lot for your answer.
You're right, I get an answer when trying to reach the share:
The big question now is why it works with the IP address and not with the computer name as it is resolved correctly. Maybe a Windows issue.
PS: I configured this USG to have a similar topology to yours, but I had to add a routing policy to be able to ping the host inside the LAN2.0
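Added example (not part of the original thread and not Zyxel code): a Python check of the two addressing points raised above, the note that the SSL VPN pool must not overlap any interface subnet, and the logged broadcast to 192.168.1.255:138. The subnet table is built from the addresses given in the thread; the function names and the end address of the 192.168.70.x pool are assumptions.

```python
import ipaddress

# Interface subnets as described in the thread (lan1 is disabled there, but
# the note says unused subnets still count).
SUBNETS = {
    "wan": "192.168.1.200/24",
    "lan1": "192.168.1.0/24",
    "lan2": "192.168.2.0/24",
}


def pool_conflicts(pool_start, pool_end, subnets):
    """Return the names of interface subnets that overlap the VPN pool range."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start must not be above pool end")
    # A start-end range is not always one CIDR block, so split it first.
    blocks = list(ipaddress.summarize_address_range(start, end))
    hits = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            hits.append(name)
    return hits


def broadcast_owners(dst_ip, subnets):
    """Return the subnets whose directed broadcast address equals dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    return [
        name
        for name, cidr in subnets.items()
        if ipaddress.ip_network(cidr, strict=False).broadcast_address == dst
    ]


if __name__ == "__main__":
    # Pool from the thread: sits inside lan2.
    print(pool_conflicts("192.168.2.250", "192.168.2.254", SUBNETS))
    # Pool in the 192.168.70.x range from the diagram (end address assumed).
    print(pool_conflicts("192.168.70.1", "192.168.70.254", SUBNETS))
    # Destination of the dropped NetBIOS datagram in the log line.
    print(broadcast_owners("192.168.1.255", SUBNETS))
```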